TrueCrypt has shut down: Alternatives


Because MS has ended support for XP (unless you’re the IRS), the devs of TrueCrypt have ended development of their software. When this notification came out, the wisely suspicious among hackers surfaced, but it’s true…TrueCrypt is dead. You can still get it, but it’s digitally signed with the warning (SourceForge). It will allow you to decrypt your encrypted files/disk, but you won’t be able to encrypt new files. The warning has instructions on how to move to MS’s BitLocker services.

There are alternatives. One is PGPDisk (Symantec, $110).

Free tools? DiskCryptor, Tomb, and a list you can obtain here.

You can also use the integrated support for encryption in Vista, 7, and 8.

So…if you’re using TrueCrypt, whether “the end” is true or false, you should probably migrate to other encryption software.

Source:

http://securitywatch.pcmag.com/security/324131-truecrypt-shut-down-what-to-use-now-to-encrypt-your-data

Reply #1

TrueCrypt was about providing a safe alternative that you could be reasonably sure NSA and cronies hadn't touched. Why would they recommend bitlocker? Makes no sense to me.

Reply #2

My system is encrypted with TC already.  Would it not continue to function and be adequate as long as I have the password?  I'm not clear why I would need to change to something like DiskCryptor, unless what TC's announcement means is that my existing encryption is vulnerable.

Reviewed the tute video on DiskCryptor, BTW, and it's actually an easier setup than TC was.  If I were to decide to change to DiskCryptor, I assume the system would need to be decrypted first.


Thanks for the post, Doc.

Reply #3

Quoting Heavenfall, reply 1

TrueCrypt was about providing a safe alternative that you could be reasonably sure NSA and cronies hadn't touched. Why would they recommend bitlocker? Makes no sense to me.
End of Heavenfall's quote

Yeah, their farewell message is so absurd that it looks suspicious.

I'd rather recommend using the previous version of TrueCrypt and avoiding updating. It is probably too secure for its own good. :/

Reply #4

Quoting Daiwa, reply 2

My system is encrypted with TC already.  Would it not continue to function and be adequate as long as I have the password?  I'm not clear why I would need to change to something like DiskCryptor, unless what TC's announcement means is that my existing encryption is vulnerable.

Reviewed the tute video on DiskCryptor, BTW, and it's actually an easier setup than TC was.  If I were to decide to change to DiskCryptor, I assume the system would need to be decrypted first.


Thanks for the post, Doc.
End of Daiwa's quote

Welcome.

You can still get it, but it’s digitally signed with the warning (SourceForge). It will allow you to decrypt your encrypted files/disk, but you won’t be able to encrypt new files.
End of quote

Reply #5

My question wasn't clear.  As long as I don't update to the new version of TC, my existing TC encryption should be unaffected should it not?  Does the warning apply only to version 7.2 or to all versions of TC?  In what I've read, some seem to be generalizing the warning, some not, but this appears to be based on assumption not fact.

Reply #6

Quoting moshi, reply 3
it is probably too secure for its own good.
End of moshi's quote

That crossed my mind, too, moshi.

With medical information, so-called PHI, I'm required by the feds to use encryption that is unbreakable... except by them, apparently.

Reply #7

Reviewing the SourceForge TrueCrypt page (how to migrate an encrypted volume/drive), it certainly implies that all versions of TrueCrypt are not secure (otherwise, why would migration be necessary?), but doesn't explicitly declare that to be the case.  Sad that we're left to puzzle that out.

My guess is the feds would consider TrueCrypt to be 'inadequate' now in the event of an audit, whatever version, but damn, the process of decrypting & re-encrypting is a pain.

Reply #8

I think it isn't secure...or won't be shortly...

I would think, at least to avoid the Federal idiocy, you could ask them which is ok for use, since TC has crapped out, no?

Reply #9

Worth noting that the TrueCrypt security audit is going to proceed regardless. So it should be known before too long if there really is some major issue that is not feasible to fix, or if it would be practical for someone else to fork or take over the project.


My guess is the feds would consider TrueCrypt to be 'inadequate' now in the event of an audit, whatever version, but damn, the process of decrypting & re-encrypting is a pain.
End of quote

Do the HIPAA rules actually specify acceptable ciphers and key lengths, key management requirements, etc.? In the financial world the big one is GLBA, which only stipulates that measures must be planned, documented, and implemented to protect NPI but does not specify what those measures need to be.

Though even if there isn't a strict requirement, if there is a known vulnerability (there isn't at this point) that you are disregarding that could be a civil liability should a breach occur. I'd expect that any vulnerability that does exist would be in the realm of key strength or security, since they are using standard ciphers.

Reply #10

The HIPAA rules are like GLBA (it appears):

“A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))
End of quote

While the Feds don't specify which OS's are acceptable, the OS must be regularly maintained with security updates & patches to remain HIPAA & HITECH compliant.  Which is why we had to replace all our XP workstations in March.  My suspicion is that if the encryption software is abandoned by its developer, we might face a similar 'non-compliance' issue.  Only matters if audited or breached, but penalties are ridiculous if they decide (after the fact, of course) that you should or could have taken steps to mitigate the risk and didn't.  Not clear to me what the risk is yet, so I'm going to let the dust settle a bit & review the issue in due time with the tech who maintains our network & machines.

Reply #11

On a slightly OT note, CMS has a 'helpful tool' for use as a sort of template for conducting a security risk analysis for practices using EHR's, which all covered entities are required to do annually.  I downloaded and started through the assessment.  After an hour and a half of mind-numbing questions on all sorts of minutiae (Have you created an action plan for a lightning strike within 200 yards of your facility?  And distributed it to all appropriate personnel?  Had them review and sign off on the plan?  Designated a Responsible Party to initiate and implement the plan? You get the drift.) I glanced up at the progress bar & saw I was only half way through.

I got up, called my dentist and asked for an emergency root canal.  So I'd feel better.

Reply #13

While it's still ok to use, it won't let you encrypt new files.

Also, as time goes on, it will become less secure. I believe it's better to find something reliable now, since your real concern is the security of the patients' data.

Reply #14

7.1a still encrypts.  I think it's reasonable to wait & see what the audit reveals before switching.  YMMV.

DiskCryptor looks like a really good alternative, but the process of creating the bootable LiveCD prior to encryption is a bit over my head, and I'm not what you'd call a novice (not to mention it requires media not available to me).